On Tue, Aug 26, 2014 at 05:17:08PM +0300, Nerijus Kislauskas wrote:

> I'm doing an installation of our university main mail gateway. Assume,
> that with one postfix instance I want to receive mail mx-1.domain.tld
> (inbound policy)

The MX hostname is irrelevant, some machine name or other will appear
in your MX records.

> and provide mail services to our employees with
> smtp.domain.tld (outbound policy).

This submission hostname will appear in the mail client settings of
the users. Use port 587 with TLS for submission.

> My postfix instance should listen on mx-1.domain.tld:25.

That's the MX host service.

> There I will put postscreen in front. For outbound
> mail the same instance should listen on smtp.domain.tld:{25,465.587}.

For a new installation, DO NOT implement port 25 submission. Make
it only 587 and only if unavoidable 465.

> Can I get rid of configuring master.cf?

No, because the stock master.cf has the port 587 (and 465) submission
services commented out.

> If it is possible, how? If not,
> what is better: put mx or smtp listeners in master.cf?

All SMTP listener end-points go into master.cf. The postscreen for
port 25, and the submission services, plus the "smtpd pass" service
for postscreen handoff.

You can do this with a single Postfix instance, or a separate
submission instance (probably better in the long run, maybe even
on a separate machine or VM).

> In production there will be 3 postfix instances with 2 domains being
> served as mx and smtp, 1 for system itself, over 16 IP addresses (both v4
> and v6) and a cluster on top of that. I need as much simple
> configuration as it could be.

Simple is in the eye of the beholder. Read:

    http://www.postfix.org/MULTI_INSTANCE_README.html

Do you prefer multiple single-purpose individually simpler
configurations, or a monolithic configuration that is more complex
internally, but centralizes all the logic? Your call. As the
author of MULTI_INSTANCE_README, I can't give an impartial opinion.

If you have sufficiently complex requirements for submission
(different content filtering, different rewriting logic, ...) you're
better off with a separate instance most likely. If your submission
processing sufficiently closely resembles your inbound processing,
a single instance may suffice.

--
Viktor.
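
Added example, not part of the original message or of Postfix: a small Python check that reads a master.cf and flags listeners that go against the port advice in the reply above (SASL submission on port 25, port 587 without mandatory TLS, port 465 without wrapper mode). The sample file and its 192.0.2.x addresses are constructed, the finding texts are this example's own, and only the plain `-o name=value` override form is parsed.

```python
import re

# Constructed sample master.cf (placeholder addresses, not from the thread):
# postscreen on the MX address, submission on 587, plus one bad listener.
SAMPLE_MASTER_CF = """\
192.0.2.25:smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
192.0.2.26:submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
192.0.2.26:smtp inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
"""
PORTS = {"smtp": "25", "submission": "587", "smtps": "465", "submissions": "465"}

def parse_master_cf(text):
    """Return (service, type, command, overrides) for each logical line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:  # indented line continues the entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    entries = []
    for entry in logical:
        f = entry.split()
        if len(f) >= 8:  # service type private unpriv chroot wakeup maxproc cmd
            opts = dict(o.split("=", 1) for o in re.findall(r"-o\s+(\S+=\S*)", entry))
            entries.append((f[0], f[1], f[7], opts))
    return entries

def audit(text):
    """Flag inet smtpd listeners that contradict the port advice in the thread.
    Only master.cf -o overrides are inspected; main.cf defaults are not seen."""
    findings = []
    for service, stype, command, opts in parse_master_cf(text):
        if stype != "inet" or command != "smtpd":
            continue
        name = service.rsplit(":", 1)[-1]  # drop optional host or [v6] prefix
        port = PORTS.get(name, name)
        if port == "25" and opts.get("smtpd_sasl_auth_enable") == "yes":
            findings.append((service, "SASL submission offered on port 25"))
        if port == "587" and opts.get("smtpd_tls_security_level") != "encrypt":
            findings.append((service, "submission without mandatory TLS"))
        if port == "465" and opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append((service, "port 465 without TLS wrapper mode"))
    return findings
```

Calling `audit(SAMPLE_MASTER_CF)` reports only the last listener in the sample; the postscreen and `smtpd pass` entries are skipped because they are not inet smtpd services.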